ITSI Entity import - Add your own saved search

I'm trying to import entities using a search. The docs say that I can use a saved search from a predefined list. I want to save my own. I've created a saved search that suits. It doesn't appear in the drop-down. I've made it global, and even added it to the SA-IOTA app (where the predefined ones live). I've tried cloning a predefined one, and amending it. I can never get to use my search in the Entity import.

I'm working in a SHC environment, so I can't save my work as a modular input, so I thought saving my search would at least cut down on the amount of work each time I have to update Entities.

Anyone any ideas how I can add my saved search to the list of predefined ones?

I created a local directory in the SA-IOTA app on the Search Head Deployer (in $SPLUNK_HOME/etc/shcluster/apps/SA-IOTA), and placed my search savedsearches.conf in the local directory just created. This keeps our searches separate from the Splunk-supplied ones, and ensures mine don't get obliterated by an upgrade. When the bundle is deployed, Splunk merges it into default on each Search Head. Job done.

I'm curious what the difference was between when you cloned it, etc., versus when you got it to work. Yes, you should put it in local for sure. Sorry I didn't mention that. I just tested default because it was easy.